netsupport

data_sources/sysmon_eventid_29.yml

@@ -0,0 +1,62 @@
+name: Sysmon EventID 29
+id: 06c61e04-2d07-4e85-bcd5-8110938b1b18
+version: 1
+date: '2025-11-14'
+author: Teoderick Contreras, Splunk
+description: Data source object for Sysmon EventID 29
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: XmlWinEventLog
+separator: EventID
+configuration: https://github.com/SwiftOnSecurity/sysmon-config
+supported_TA:
+- name: Splunk Add-on for Sysmon
+  url: https://splunkbase.splunk.com/app/5709
+  version: 5.0.0
+fields:
+- _time
+- action
+- dest
+- dvc
+- Image
+- EventID
+- EventCode
+- event_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- User
+- UserID
+- TargetFilename
+- process_id
+- ProcessID
+- Hashes
+- EventRecordID
+- Keywords
+- Channel
+- IMPHASH
+- file_hash
+- file_name
+- file_path
+- severity
+- signature
+- signature_id
+- user
+- user_id
+- SecurityID
+- process_guid
+output_fields:
+- Image
+- file_name
+- file_path
+- process_guid
+- file_hash
+- process_id
+- dest
+- user
+- EventCode
+example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>29</EventID><Version>5</Version><Level>4</Level><Task>29</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-11-14T10:09:37.700533300Z'/><EventRecordID>3374716</EventRecordID><Correlation/><Execution ProcessID='1668' ThreadID='2836'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-11-14 10:09:37.697</Data><Data Name='ProcessGuid'>{CA8A6768-FFA9-6916-9303-000000000304}</Data><Data Name='ProcessId'>1436</Data><Data Name='User'>AR-WIN-DC\Administrator</Data><Data Name='Image'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='TargetFilename'>C:\Users\Administrator\AppData\Local\Microsoft_Corporation\lScun7w.docx</Data><Data Name='Hashes'>MD5=1E6E804CA71EAF5BEF0ABEF95C578CF0,SHA256=6FFE12CDFE0A36DEC4B4A40ECDAFB4097B1AF7C340B0FCECF9F5C67B7FA8B299,IMPHASH=2C4D798BB87EC57193B7625C4259DA43</Data></EventData></Event>

detections/endpoint/add_or_set_windows_defender_exclusion.yml

@@ -1,7 +1,7 @@
 name: Add or Set Windows Defender Exclusion
 id: 773b66fe-4dd9-11ec-8289-acde48001122
-version: 11
-date: '2025-10-01'
+version: 12
+date: '2025-11-20'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -93,6 +93,7 @@ tags:
     - WhisperGate
     - Windows Defense Evasion Tactics
     - Crypto Stealer
+    - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
     - T1562.001
@@ -106,4 +107,4 @@ tests:
     attack_data:
     - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log
       source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-      sourcetype: XmlWinEventLog
+      sourcetype: XmlWinEventLog

detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml

@@ -1,7 +1,7 @@
 name: Allow Inbound Traffic In Firewall Rule
 id: a5d85486-b89c-11eb-8267-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-11-20'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -53,6 +53,7 @@ rba:
 tags:
   analytic_story:
   - Prohibited Traffic Allowed or Protocol Mismatch
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1021.001
@@ -66,4 +67,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/windows-xml.log
     source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/detect_mshta_url_in_command_line.yml

@@ -1,7 +1,7 @@
 name: Detect MSHTA Url in Command Line
 id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
-version: 15
-date: '2025-09-18'
+version: 16
+date: '2025-11-20'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -89,6 +89,7 @@ tags:
     - Suspicious MSHTA Activity
     - XWorm
     - Cisco Network Visibility Module Analytics
+    - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
     - T1218.005
@@ -107,4 +108,4 @@ tests:
     attack_data:
       - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
         source: not_applicable
-        sourcetype: cisco:nvm:flowdata
+        sourcetype: cisco:nvm:flowdata

detections/endpoint/disable_windows_behavior_monitoring.yml

@@ -1,7 +1,7 @@
 name: Disable Windows Behavior Monitoring
 id: 79439cae-9200-11eb-a4d3-acde48001122
-version: 16
-date: '2025-10-14'
+version: 17
+date: '2025-11-20'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
@@ -69,6 +69,7 @@ tags:
   - RedLine Stealer
   - Cactus Ransomware
   - Scattered Lapsus$ Hunters
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1562.001
@@ -82,4 +83,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/domain_controller_discovery_with_nltest.yml

@@ -1,7 +1,7 @@
 name: Domain Controller Discovery with Nltest
 id: 41243735-89a7-4c83-bcdd-570aa78f00a1
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-11-20'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -66,6 +66,7 @@ tags:
   - Medusa Ransomware
   - BlackSuit Ransomware
   - Rhysida Ransomware
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1018
@@ -79,4 +80,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/icacls_grant_command.yml

@@ -1,7 +1,7 @@
 name: ICACLS Grant Command
 id: b1b1e316-accc-11eb-a9b4-acde48001122
-version: 8
-date: '2025-06-17'
+version: 9
+date: '2025-11-20'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -76,6 +76,7 @@ tags:
   - Crypto Stealer
   - XMRig
   - Defense Evasion or Unauthorized Access Via SDDL Tampering
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1222
@@ -89,4 +90,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/lolbas_with_network_traffic.yml

@@ -1,7 +1,7 @@
 name: LOLBAS With Network Traffic
 id: 2820f032-19eb-497e-8642-25b04a880359
-version: 13
-date: '2025-10-20'
+version: 14
+date: '2025-11-20'
 author: Steven Dick
 status: production
 type: TTP
@@ -143,6 +143,7 @@ tags:
   - APT37 Rustonotto and FadeStealer
   - GhostRedirector IIS Module and Rungan Backdoor
   - Hellcat Ransomware
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1105
@@ -158,4 +159,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/ntdsutil_export_ntds.yml

@@ -1,7 +1,7 @@
 name: Ntdsutil Export NTDS
 id: da63bc76-61ae-11eb-ae93-0242ac130002
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-11-20'
 author: Michael Haag, Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -72,6 +72,7 @@ tags:
   - Prestige Ransomware
   - Volt Typhoon
   - Rhysida Ransomware
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1003.003
@@ -85,4 +86,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml

@@ -1,7 +1,7 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 14
-date: '2025-10-24'
+version: 15
+date: '2025-11-20'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -68,6 +68,7 @@ tags:
   - GhostRedirector IIS Module and Rungan Backdoor
   - Hellcat Ransomware
   - Microsoft WSUS CVE-2025-59287
+  - NetSupport RMM Tool Abuse
   mitre_attack_id:
   - T1027
   - T1059.001

detections/endpoint/powershell_windows_defender_exclusion_commands.yml

@@ -1,7 +1,7 @@
 name: Powershell Windows Defender Exclusion Commands
 id: 907ac95c-4dd9-11ec-ba2c-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-11-20'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -61,6 +61,7 @@ tags:
   - Data Destruction
   - WhisperGate
   - Warzone RAT
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1562.001
@@ -74,4 +75,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/windows-xml.log
     source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/registry_keys_used_for_persistence.yml

@@ -1,7 +1,7 @@
 name: Registry Keys Used For Persistence
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: 26
-date: '2025-09-18'
+version: 27
+date: '2025-11-20'
 author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
 status: production
 type: TTP
@@ -117,6 +117,7 @@ tags:
   - Interlock Ransomware
   - 0bj3ctivity Stealer
   - APT37 Rustonotto and FadeStealer
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1547.001

detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml

@@ -1,7 +1,7 @@
 name: Scheduled Task Deleted Or Created via CMD
 id: d5af132c-7c17-439c-9d31-13d55340f36c
-version: 21
-date: '2025-09-30'
+version: 22
+date: '2025-11-20'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -107,6 +107,7 @@ tags:
   - 0bj3ctivity Stealer
   - APT37 Rustonotto and FadeStealer
   - Lokibot
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1053.005

detections/endpoint/suspicious_scheduled_task_from_public_directory.yml

@@ -1,7 +1,7 @@
 name: Suspicious Scheduled Task from Public Directory
 id: 7feb7972-7ac3-11eb-bac8-acde48001122
-version: 16
-date: '2025-09-30'
+version: 17
+date: '2025-11-20'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -90,6 +90,7 @@ tags:
   - Scattered Spider
   - APT37 Rustonotto and FadeStealer
   - Lokibot
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1053.005

detections/endpoint/system_information_discovery_detection.yml

@@ -1,7 +1,7 @@
 name: System Information Discovery Detection
 id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72
-version: 11
-date: '2025-08-27'
+version: 12
+date: '2025-11-20'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -83,6 +83,7 @@ tags:
   - Cleo File Transfer Software
   - Interlock Ransomware
   - LAMEHUG
+  - NetSupport RMM Tool Abuse
   asset_type: Windows
   mitre_attack_id:
   - T1082